Skip to main content

OpenFGA CVE-2026-55689

HIGH
Improper Authentication (CWE-287)
2026-06-19 https://github.com/openfga/openfga GHSA-hcxc-wf8j-23hv
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
8.1 HIGH

Attacker needs a valid token from the shared issuer (PR:L), reaches the API over the network (AV:N/AC:L), and gains full read/write to authorization data (C:H/I:H), with no availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

7
Analysis Updated
Jul 14, 2026 - 01:45 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 14, 2026 - 01:45 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 14, 2026 - 01:37 vuln.today
cvss_changed
Severity Changed
Jul 14, 2026 - 01:37 NVD
MEDIUM HIGH
CVSS changed
Jul 14, 2026 - 01:37 NVD
6.8 (MEDIUM) 8.1 (HIGH)
Source Code Evidence Fetched
Jun 19, 2026 - 15:50 vuln.today
Analysis Generated
Jun 19, 2026 - 15:50 vuln.today

DescriptionNVD

Description

OpenFGA's OIDC authenticator skipped JWT audience (aud) validation when no audience was configured. In deployments where one identity provider issues tokens for multiple services, a token minted for an unrelated service could authenticate to OpenFGA.

Preconditions

This applies if the following preconditions are met:

  1. You run OpenFGA with authn.method set to oidc.
  2. You configured authn.oidc.issuer but did not set

authn.oidc.audience (--authn-oidc-audience / OPENFGA_AUTHN_OIDC_AUDIENCE).

Fix

Upgrade to OpenFGA 1.18.0 or greater. OpenFGA now refuses to start in oidc mode unless both authn.oidc.issuer and authn.oidc.audience are set, and the aud claim is always validated.

Acknowledgements

OpenFGA would like to thank https://github.com/0xVijay for the report.

AnalysisAI

Authentication bypass in OpenFGA versions 1.17.1 and earlier allows a validly-signed JWT issued for an unrelated service to authenticate to OpenFGA, because the OIDC authenticator silently skipped JWT audience (aud) validation whenever authn.oidc.audience was left unset. Any deployment using authn.method=oidc with a configured issuer but no configured audience trusts every token minted by that issuer, so an attacker holding a legitimate token for a different service behind the same identity provider gains full access to OpenFGA's authorization data. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain valid JWT from shared issuer
Delivery
Send token to OpenFGA OIDC-authenticated API
Exploit
aud claim silently unvalidated
Execution
Token accepted as authenticated
Impact
Read/modify authorization tuples

Vulnerability AssessmentAI

Exploitation Exploitation requires OpenFGA to be deployed with authn.method set to oidc and authn.oidc.issuer configured while authn.oidc.audience (--authn-oidc-audience / OPENFGA_AUTHN_OIDC_AUDIENCE) is left unset - this exact non-default combination is what disables aud validation. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) indicates a network-reachable, low-complexity bypass requiring some pre-existing privilege - consistent with the attacker needing a legitimate token from the shared issuer rather than nothing at all (PR:L, not PR:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An organization runs OpenFGA in oidc mode sharing a corporate identity provider with several internal apps, and never set authn.oidc.audience. An attacker who legitimately holds (or obtains) a validly-signed token issued by that IdP for an unrelated internal service presents it to OpenFGA's API; because the aud claim is not checked, the token is accepted and the attacker can read and modify authorization tuples. …
Remediation Vendor-released patch: upgrade OpenFGA to 1.18.0 or greater (release https://github.com/openfga/openfga/releases/tag/v1.18.0, fix commit 44596773b2e62738720ef215bf7fa04352954271); Helm chart users should move to openfga-0.3.9 or later. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all OpenFGA instances running version 1.17.1 or earlier using OIDC authentication without an explicit audience value configured-these deployments accept tokens from any service using the same identity provider. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55689 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy